Abstract

In this paper we resolve an open problem regarding resettable zero knowledge in the bare public-key (BPK for short) model: does there exist a constant-round resettable zero knowledge argument with concurrent soundness for $\mathcal{NP}$ in the BPK model without assuming sub-exponential hardness? We give a positive answer to this question by presenting such a protocol for any language in $\mathcal{NP}$ in the bare public-key model, assuming only collision-resistant hash functions against polynomial-time adversaries.

Key Words. Resettable Zero Knowledge, Concurrent Soundness, Bare Public-Key Model, Resettably Sound Zero Knowledge.

1 Introduction 

Zero knowledge (ZK for short) proofs, proofs that reveal nothing but the validity of the assertion, were put forward in the seminal paper of Goldwasser, Micali and Rackoff [15]. Since their introduction, and especially after the generality demonstrated in [14], ZK proofs have become a fundamental tool in the design of cryptographic protocols. In recent years, research has moved towards extending their security to cope with more hostile communication environments. In particular, Dwork et al. [12] introduced the concept of concurrent zero knowledge and initiated the study of the effect of executing ZK proofs concurrently in realistic asynchronous networks like the Internet. Though concurrent zero knowledge protocols have wide applications, unfortunately they require logarithmic rounds for languages outside $\mathcal{BPP}$ in the plain model in the black-box case, and therefore are round-inefficient. In the Common Reference String model, Damgård [6] showed that 3-round concurrent zero-knowledge can be achieved efficiently. Surprisingly, using non-black-box techniques, Barak [1] constructed a constant-round non-black-box bounded concurrent zero knowledge protocol, though it is very inefficient.

Motivated by applications in which the prover (such as the user of a smart card) may encounter resetting attacks, Canetti et al. [4] introduced the notion of resettable zero knowledge (rZK for short). rZK formalizes security in a scenario in which the verifier is allowed to reset the prover in the middle of a proof to any previous stage. Obviously the notion of resettable zero knowledge is stronger than that of concurrent zero knowledge, and therefore we cannot construct a constant-round black-box rZK protocol in the plain model for non-trivial languages. To get constant-round rZK, the work [4] also introduced a very attractive model, the bare public-key model (BPK). In this model, each verifier deposits a public key $pk$ in a public file and stores the associated secret key $sk$ before any interaction with the prover begins. Note that no protocol needs to be run to publish $pk$, and no authority needs to check any property of $pk$. Consequently the BPK model is considered a very weak set-up assumption compared to previous models such as the common reference string model and the PKI model.

However, as Micali and Reyzin [18] pointed out, the notion of soundness in this model is more subtle. There are four distinct notions of soundness: one-time, sequential, concurrent and resettable soundness, each of which implies the previous one. Moreover, they also pointed out that there is no black-box rZK satisfying resettable soundness for non-trivial languages, and that the original rZK arguments in the BPK model of [4] do not seem to be concurrently sound. The 4-round (optimal) rZK argument with concurrent soundness in the bare public-key model was proposed by Di Crescenzo et al. in [10] and also appeared in [24].

All the above rZK arguments in the BPK model need cryptographic primitives secure against sub-exponential-time adversaries, which is not a standard assumption in cryptography. Using non-black-box techniques, Barak et al. obtained a constant-round rZK argument of knowledge assuming only collision-free hash functions secure against superpolynomial-time algorithms¹, but their protocol enjoys only sequential soundness. The existence of constant-round rZK arguments with concurrent soundness in the BPK model under only polynomial-time hardness assumptions is an interesting problem.

¹ Using ideas from [3], this result also holds under the standard assumption that there exist hash functions that are collision-resistant against all polynomial-time adversaries.

Our results. In this paper we resolve the above open problem by presenting a constant-round rZK argument with concurrent soundness in the BPK model for $\mathcal{NP}$ under the standard assumption that there exist hash functions collision-resistant against polynomial-time adversaries. We note that our protocol is an argument of knowledge, and therefore the non-black-box technique is inherently used.

In our protocol, we use the resettably-sound non-black-box zero knowledge argument as a building block in a manner different from that in [2]: instead of using it for the verifier to prove knowledge of its secret key, the verifier uses it to prove that a challenge matches the one it committed to in a previous step. This difference is crucial in the concurrent soundness analysis of our protocol: to justify concurrent soundness we need to simulate only one execution among all concurrent executions of the resettably-sound zero knowledge argument, instead of simulating all of them.

2 Preliminaries 

In this section we recall some definitions and tools that will be used later. 

In the following we say that a function $f(n)$ is negligible if for every polynomial $q(n)$ there exists an $N$ such that for all $n > N$, $f(n) < 1/q(n)$. We denote by $s \leftarrow_R A$ the process of picking a random element $s$ from $A$.

The BPK Model. The bare public-key model (BPK model) assumes that:

• A public file $F$ that is a collection of records, each containing a verifier's public key, is available to the prover.

• An (honest) prover P is an interactive deterministic polynomial-time algorithm that is given as inputs a security parameter $1^n$, an $n$-bit string $x \in L$, an auxiliary input $y$, a public file $F$ and a random tape $r$.

• An (honest) verifier V is an interactive deterministic polynomial-time algorithm that works in two stages. In stage one, on input a security parameter $1^n$ and a random tape $w$, V generates a key pair $(pk, sk)$ and stores $pk$ in the file $F$. In stage two, on input $sk$, an $n$-bit string $x$ and a random string $w$, V performs the interactive protocol with a prover, and outputs "accept $x$" or "reject $x$".
Definition 2.1 We say that the protocol $\langle P, V \rangle$ is complete for a language $L$ in $\mathcal{NP}$ if for all $n$-bit strings $x \in L$ and any witness $y$ such that $(x, y) \in R_L$, where $R_L$ is the relation induced by $L$, the probability that V, interacting with P on input $y$, outputs "reject $x$" is negligible in $n$.

Malicious provers and their attacks in the BPK model. Let $s$ be a positive polynomial and $P^*$ be a probabilistic polynomial-time algorithm on input $1^n$.

$P^*$ is an $s$-concurrent malicious prover if, on input a public key $pk$ of V, it performs at most $s$ interactive protocols as follows: 1) if $P^*$ is already running $i-1$ interactive protocols, $1 \le i-1 < s$, it can output a special message "Starting $x_i$" to start a new protocol with V on the new statement $x_i$; 2) at any point it can output a message for any of its interactive protocols, then immediately receives the verifier's response and continues.

A concurrent attack of an $s$-concurrent malicious prover $P^*$ is executed in this way: 1) V runs on input $1^n$ and a random string and then obtains the key pair $(pk, sk)$; 2) $P^*$ runs on input $1^n$ and $pk$. Whenever $P^*$ starts a new protocol choosing a statement, V is run on inputs the new statement, a new random string and $sk$.

Definition 2.2 $\langle P, V \rangle$ satisfies concurrent soundness for a language $L$ if for all positive polynomials $s$ and all $s$-concurrent malicious provers $P^*$, the probability that in an execution of a concurrent attack V ever outputs "accept $x$" for $x \notin L$ is negligible in $n$.

The notion of resettable zero-knowledge was first introduced in [4]. The notion gives a verifier the ability to rewind the prover to a previous state (after rewinding, the prover uses the same random bits), and the malicious verifier can generate an arbitrary file $F$ with several entries, each of them containing a public key generated by the malicious verifier. We refer readers to that paper for the intuition behind the notion. Here we just give the definition.

Definition 2.3 An interactive argument system $\langle P, V \rangle$ in the BPK model is black-box resettable zero-knowledge if there exists a probabilistic polynomial-time algorithm $S$ such that for any probabilistic polynomial-time algorithm $V^*$, for any polynomials $s, t$, and for any $x_i \in L$, where the length of $x_i$ is $n$, $i = 1, \ldots, s(n)$, and $V^*$ runs in at most $t$ steps, the following two distributions are indistinguishable:

1. the view of $V^*$ that generates $F$ with $s(n)$ entries and interacts (even concurrently) a polynomial number of times with each $P(x_i, y_i, j, r_k, F)$, where $y_i$ is a witness for $x_i \in L$, $r_k$ is a random tape and $j$ is the identity of the session being executed at present, for $1 \le i, j, k \le s(n)$;

2. the output of $S$ interacting with $V^*$ on input $x_1, \ldots, x_{s(n)}$.

$\Sigma$-protocols. A protocol $\langle P, V \rangle$ is said to be a $\Sigma$-protocol for a relation $R$ if it is of 3-move form and satisfies the following conditions:

1. Completeness: for all $(x, y) \in R$, if P has the witness $y$ and follows the protocol, the verifier always accepts.

2. Special soundness: Let $(a, e, z)$ be the three messages exchanged by prover P and verifier V. From any statement $x$ and any pair of accepting transcripts $(a, e, z)$ and $(a, e', z')$ where $e \neq e'$, one can efficiently compute $y$ such that $(x, y) \in R$.

3. Special honest-verifier ZK: There exists a polynomial-time simulator $M$ which, on input $x$ and a random $e$, outputs an accepting transcript of the form $(a, e, z)$ with the same probability distribution as a transcript between the honest P and V on input $x$.

Many known efficient protocols, such as those in [16] and [23], are $\Sigma$-protocols. Furthermore, there is a $\Sigma$-protocol for the language of Hamiltonian Graphs, assuming that one-way permutation families exist; if the commitment scheme used by that protocol is implemented using the scheme in [19] from any pseudo-random generator family, then the assumption can be reduced to the existence of one-way function families, at the cost of adding one preliminary message from the verifier. Note that adding one message does not have any influence on the properties of $\Sigma$-protocols: assuming the new protocol is of the form $(f, a, e, z)$, given the challenge $e$ it is easy to indistinguishably generate a real transcript of the form $(f, a, e, z)$; given two accepting transcripts $(f, a, e, z)$ and $(f, a, e', z')$ where $e \neq e'$, we can extract a witness easily. We can claim that any language in $\mathcal{NP}$ admits a 4-round $\Sigma$-protocol under the existence of any one-way function family (or under an appropriate number-theoretic assumption), or a 3-round $\Sigma$-protocol under the existence of any one-way permutation family. Though the following OR-proof refers only to 3-round $\Sigma$-protocols, readers should keep in mind that the way to construct the OR-proof also applies to 4-round $\Sigma$-protocols.

Interestingly, $\Sigma$-protocols can be composed to prove the OR of atomic statements. Specifically, given two $\Sigma$-protocols $\Sigma_0, \Sigma_1$ for two relations $R_0, R_1$, respectively, we can efficiently construct a $\Sigma_{OR}$-protocol for the relation $R_{OR} = \{((x_0, x_1), y) : (x_0, y) \in R_0 \text{ or } (x_1, y) \in R_1\}$, as follows. Let $(x_b, y) \in R_b$, where $y$ is the private input of P. P computes $a_b$ according to the protocol $\Sigma_b$ using $(x_b, y)$. P chooses $e_{1-b}$ and feeds the simulator $M$ guaranteed by $\Sigma_{1-b}$ with $e_{1-b}, x_{1-b}$, runs it and gets the output $(a_{1-b}, e_{1-b}, z_{1-b})$. P sends $a_0, a_1$ to V in the first step. In the second step, V picks a random challenge $e$ and sends it to P. Last, P sets $e_b = e \oplus e_{1-b}$, computes the last message $z_b$ to the challenge $e_b$ using $x_b, y$ as witness according to the protocol $\Sigma_b$, and sends $(e_b, z_b)$ and $(e_{1-b}, z_{1-b})$ to V. V checks that $e = e_b \oplus e_{1-b}$ and that the two transcripts $(a_b, e_b, z_b)$ and $(a_{1-b}, e_{1-b}, z_{1-b})$ are accepting. The resulting protocol turns out to be witness indistinguishable: the verifier cannot tell which witness the prover used from the transcript of a session.
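The $\Sigma_{OR}$ composition just described, as an added example that is not part of the paper: both atomic $\Sigma$-protocols are instantiated with Schnorr's proof of knowledge of a discrete logarithm over a constructed toy group, the three-move exchange uses the $e = e_b \oplus e_{1-b}$ split, and a special-soundness extractor recovers the witness from two accepting transcripts that share the same first message. The group parameters, the choice of Schnorr and all function names are assumptions of this example.

```python
"""Sigma_OR composition of two Schnorr Sigma-protocols (added example; not from the paper).

Atomic relation R = {(y, w) : y = G^w mod P}.  The OR-prover holds a witness for
branch b, simulates branch 1-b with the special honest-verifier simulator M, and
splits the verifier's challenge as e = e_b XOR e_{1-b}, as in the text above.
Group parameters are a constructed toy instance: P = 2Q+1, Q prime, G of order Q.
"""
import secrets
from dataclasses import dataclass

P = 2039   # constructed toy prime, P = 2*Q + 1 (far too small for real use)
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2 mod P: a generator of the order-Q subgroup
T = 9      # challenge length in bits; 2**T <= Q keeps XOR-split challenges valid exponents


def rand_exp():
    return secrets.randbelow(Q)


def rand_challenge():
    return secrets.randbelow(1 << T)


# ---- atomic Schnorr Sigma-protocol with transcript (a, e, z) ----
def schnorr_commit():
    """First move: a = G^k. Returns (a, k); the prover keeps k secret."""
    k = rand_exp()
    return pow(G, k, P), k


def schnorr_respond(w, k, e):
    """Third move: z = k + e*w mod Q."""
    return (k + e * w) % Q


def schnorr_verify(y, a, e, z):
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def schnorr_simulate(y, e):
    """Special HVZK simulator M: for a given e, output an accepting (a, e, z) without w."""
    z = rand_exp()
    a = (pow(G, z, P) * pow(pow(y, e, P), -1, P)) % P
    return a, e, z


@dataclass
class OrProverState:
    b: int       # branch for which the prover really holds a witness
    w: int
    k_b: int     # Schnorr randomness of the real branch
    e_sim: int   # challenge fixed up front for the simulated branch
    z_sim: int


def or_prove_first(y, b, w):
    """Step 1: real commitment a_b for branch b, simulated (a, e, z) for branch 1-b."""
    a_b, k_b = schnorr_commit()
    e_sim = rand_challenge()
    a_sim, _, z_sim = schnorr_simulate(y[1 - b], e_sim)
    a = [0, 0]
    a[b], a[1 - b] = a_b, a_sim
    return (a[0], a[1]), OrProverState(b, w, k_b, e_sim, z_sim)


def or_prove_last(st, e):
    """Step 3: e_b = e XOR e_{1-b}; answer the real branch, replay the simulated one."""
    e_b = e ^ st.e_sim
    z_b = schnorr_respond(st.w, st.k_b, e_b)
    es, zs = [0, 0], [0, 0]
    es[st.b], zs[st.b] = e_b, z_b
    es[1 - st.b], zs[1 - st.b] = st.e_sim, st.z_sim
    return (es[0], es[1]), (zs[0], zs[1])


def or_verify(y, a, e, es, zs):
    """V checks e = e_0 XOR e_1 and that both atomic transcripts are accepting."""
    return (e == (es[0] ^ es[1])
            and schnorr_verify(y[0], a[0], es[0], zs[0])
            and schnorr_verify(y[1], a[1], es[1], zs[1]))


def run_or_session(y, b, w):
    """Honest three-move exchange; returns V's decision."""
    a, st = or_prove_first(y, b, w)
    e = rand_challenge()                 # V's random challenge
    es, zs = or_prove_last(st, e)
    return or_verify(y, a, e, es, zs)


def or_extract(t1, t2):
    """Special soundness: two accepting transcripts with the same first message and
    e != e' differ in at least one branch's challenge; that branch yields its witness.
    This is exactly why a prover that is reset and re-challenged on the same first
    message, without deriving its coins from the transcript, gives away its witness."""
    (e1s, z1s), (e2s, z2s) = t1, t2
    for i in (0, 1):
        if e1s[i] != e2s[i]:
            return i, ((z1s[i] - z2s[i]) * pow(e1s[i] - e2s[i], -1, Q)) % Q
    return None
```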

In our rZK argument, the verifier uses a 3-round Witness Indistinguishable Proof of Knowledge to prove knowledge of one of the two secret keys associated with his public key. As required in [11], we need a partial-witness-independence property from the above proof of knowledge: the message sent in its first round should have a distribution independent of any witness for the statement to be proved. We can obtain such a protocol using [23] [8].

Commitment scheme. A commitment scheme is a two-phase (committing phase and opening phase) two-party (a sender S and a receiver R) protocol which has the following properties: 1) hiding: two commitments (here we view a commitment as a variable indexed by the value that the sender committed to) are computationally indistinguishable for every probabilistic polynomial-time (possibly malicious) receiver $R^*$; 2) binding: after sending the commitment to a value $m$, any probabilistic polynomial-time (possibly malicious) sender $S^*$ cannot open this commitment to another value $m' \neq m$ except with negligible probability. Under the assumption of the existence of any one-way function families (using the scheme from [19] and the result from [17]) or under number-theoretic assumptions (e.g., the scheme from [21]), we can construct schemes in which the first phase consists of 2 messages. Assuming the existence of one-way permutation families, a well-known non-interactive (in the committing phase) construction of a commitment scheme (see, e.g., [13]) can be given.

A statistically-binding commitment scheme (with computational hiding) is a commitment scheme with a stronger requirement on the binding property: an all-powerful sender $S^*$ (without running-time restriction) cannot open a valid commitment to two different values except with exponentially small probability. We refer readers to [13, 19] for the details of constructing statistically-binding commitments.
A perfect-hiding commitment scheme (with computational binding) is one with a stronger requirement on the hiding property: the distributions of the commitments are indistinguishable for any all-powerful receiver $R^*$. As far as we know, all perfect-hiding commitment schemes require interaction (see also [21, 20]) in the committing phase.

Definition 2.4 [13]. Let $d, r : \mathbb{N} \to \mathbb{N}$. We say that
$$\{f_s : \{0,1\}^{d(|s|)} \to \{0,1\}^{r(|s|)}\}_{s \in \{0,1\}^*}$$
is a pseudorandom function ensemble if the following two conditions hold:

1. Efficient evaluation: There exists a polynomial-time algorithm that on input $s$ and $x \in \{0,1\}^{d(|s|)}$ returns $f_s(x)$;

2. Pseudorandomness: for every probabilistic polynomial-time oracle machine $M$, every polynomial $p(\cdot)$, and all sufficiently large $n$,
$$\left| \Pr[M^{F_n}(1^n) = 1] - \Pr[M^{H_n}(1^n) = 1] \right| < 1/p(n),$$
where $F_n$ is a random variable uniformly distributed over the multi-set $\{f_s\}_{s \in \{0,1\}^n}$ and $H_n$ is uniformly distributed among all functions mapping $d(n)$-bit-long strings to $r(n)$-bit-long strings.

3 A Simple Observation on Resettably-sound Zero Knowledge Arguments

A resettably-sound zero knowledge argument is a zero knowledge argument with stronger soundness: for every probabilistic polynomial-time prover $P^*$, even if $P^*$ is allowed to reset the verifier V to a previous state (after resetting, the verifier V uses the same random tape), the probability that $P^*$ makes V accept a false statement $x \notin L$ is negligible.

Barak et al. [2] transform a constant-round public-coin zero knowledge argument $\langle P, V \rangle$ for an $\mathcal{NP}$ language $L$ into a constant-round resettably-sound zero knowledge argument $\langle P, W \rangle$ for $L$ as follows: equip W with a collection of pseudorandom functions, and then let W emulate V except that it generates the current-round message by applying a pseudorandom function to the transcript so far.
We will use a resettably-sound zero knowledge argument as a building block in which the verifier proves to the prover that a challenge matches the one it committed to in a previous stage. The simulation of such sub-protocols plays an important role in our security reduction, but there is a subtlety in the simulation itself. In the scenario considered in this paper, in which the prover (i.e., the verifier in the underlying sub-protocol) can interact with many copies of the verifier and schedule all sessions at will, the simulation seems problematic, because we do not know how to simulate all the concurrent executions of Barak's protocol described below² (and therefore of the resettably-sound zero knowledge argument). Fortunately, however, it is not necessary to simulate all the concurrent executions of the underlying resettably-sound zero knowledge argument. Indeed, in order to justify concurrent soundness, we just need to simulate one execution among all concurrent executions of the resettably-sound zero knowledge argument. We call this property one-many simulatability. We note that Pass and Rosen [22] made a similar observation (in a different context) that enables the analysis of concurrent non-malleability of their commitment scheme.

Now we recall Barak's constant-round public-coin zero knowledge argument [1], show that this protocol satisfies one-many simulatability, and conclude that so does the resettably-sound zero knowledge argument transformed from it.

Informally, Barak's protocol for an $\mathcal{NP}$ language $L$ consists of two subprotocols: a general protocol and a WI universal argument. A real execution of the general protocol generates an instance that is unlikely to be in some properly defined language, and in the WI universal argument the prover proves that the statement $x \in L$ or the instance generated above is in the properly defined language. Let $n$ be the security parameter and $\{\mathcal{H}_n\}_{n \in \mathbb{N}}$ be a collection of hash functions where a hash function $h \in \mathcal{H}_n$ maps $\{0,1\}^*$ to $\{0,1\}^n$, and let $C$ be a statistically-binding commitment scheme. We define a language $\Lambda$ as follows. We say a triplet $(h, c, r) \in \mathcal{H}_n \times \{0,1\}^n \times \{0,1\}^n$ is in $\Lambda$ if there exist a program $\Pi$ and a string $s \in \{0,1\}^{poly(n)}$ such that $c = C(h(\Pi), s)$ and $\Pi(c) = r$ within superpolynomial time (i.e., $n^{\omega(1)}$).

Barak's Protocol [1]

Common input: an instance $x \in L$ ($|x| = n$)

Prover's private input: the witness $w$ such that $(x, w) \in R_L$

V → P: Send $h \leftarrow_R \mathcal{H}_n$;

P → V: Pick $s \leftarrow_R \{0,1\}^{poly(n)}$ and send $c = C(h(0^{3n}), s)$;

V → P: Send $r \leftarrow_R \{0,1\}^n$;

P ⇒ V: A WI universal argument in which P proves $x \in L$ or $(h, c, r) \in \Lambda$.

² Barak also presented a constant-round bounded concurrent ZK argument, hence we can obtain a constant-round resettably-sound bounded concurrent ZK argument by applying the same transformation technique to the bounded concurrent ZK argument. We stress that in this paper we do not require the bounded concurrent zero knowledge property to hold for the resettably-sound ZK argument.

Fact 1. Barak's protocol enjoys one-many simulatability. That is, for every malicious probabilistic polynomial-time algorithm $V^*$ that interacts with (arbitrarily) polynomially many, say $s$, copies of P on true statements $\{x_i\}$, $1 \le i \le s$, and for every $j \in \{1, 2, \ldots, s\}$, there exists a probabilistic polynomial-time algorithm $S$ that takes $V^*$ and all witnesses but the one for $x_j$, such that the output of $S(V^*, \{(x_i, w_i)\}_{1 \le i \le s, i \neq j}, x_j)$ (where $(x_i, w_i) \in R_L$) and the view of $V^*$ are indistinguishable.

We can construct a simulator $S = (S_{real}, S_j)$ as follows: $S_{real}$, taking as inputs $\{(x_i, w_i)\}_{1 \le i \le s, i \neq j}$, does exactly what the honest provers do on these statements and outputs the transcripts of all but the $j$th session (in the $j$th session $x_j \in L$ is to be proven), and $S_j$ acts the same as the simulator associated with Barak's protocol in the session in which $x_j \in L$ is to be proven, except that when $S_j$ is required to send a commitment value (the second-round message in Barak's protocol), it commits to the hash value of the joint residual code of $V^*$ and $S_{real}$ at this point, instead of committing to the hash value of the residual code of $V^*$ alone (that is, we treat $S_{real}$ as a subroutine of $V^*$, and it interacts with $V^*$ internally). We note that the next message of the joint residual code of $V^*$ and $S_{real}$ is determined only by the commitment message from $S_j$, so as shown in [1], $S_j$ works. On the other hand, $S_{real}$'s behavior is identical to that of the honest provers. Thus, the whole simulator $S$ satisfies our requirement.

When we transform a constant-round public-coin zero knowledge argument into a resettably-sound zero knowledge argument, the transformation itself does not influence the simulatability (zero knowledge) of the latter argument, because the zero knowledge requirement does not refer to the honest verifier (as pointed out in [2]). Thus, the same simulator described above also works for the resettably-sound zero knowledge argument in concurrent settings. So we have

Fact 2. The resettably-sound zero knowledge arguments in [2] enjoy one-many simulatability.
4 rZK Argument with Concurrent Soundness for $\mathcal{NP}$ in the BPK Model Under Standard Assumptions

In this section we present a constant-round rZK argument with concurrent soundness in the BPK model for all $\mathcal{NP}$ languages without assuming any subexponential hardness.

For the sake of readability, we give some intuition before describing the protocol formally.

We construct the argument in the following way: build a concurrent zero knowledge argument with concurrent soundness, and then transform this argument into a resettable zero knowledge argument with concurrent soundness. Concurrent zero knowledge with concurrent soundness was presented in [11] under standard assumptions (without using "complexity leveraging"). For the sake of simplicity, we modify the flawed construction presented in [26] to get a concurrent zero knowledge argument with concurrent soundness. Consider the following two-phase argument in the BPK model. Let $n$ be the security parameter, and $f$ be a one-way function that maps $\{0,1\}^{k(n)}$ to $\{0,1\}^n$ for some function $k : \mathbb{N} \to \mathbb{N}$. The verifier chooses two random numbers $x_0, x_1 \in \{0,1\}^{k(n)}$, computes $y_0 = f(x_0)$, $y_1 = f(x_1)$, then publishes $y_0, y_1$ as his public key and keeps $x_0$ or $x_1$ secret. In phase one of the argument, the verifier proves to the prover that he knows one of $x_0, x_1$ using a partial-witness-independent Witness Indistinguishable Proof of Knowledge protocol $\Pi_v$. In phase two, the prover proves that the statement to be proven is true or he knows one of the preimages of $y_0$ and $y_1$ via a witness indistinguishable argument of knowledge protocol $\Pi_p$. Note that in phase two we use an argument of knowledge; this means we restrict the prover to be a probabilistic polynomial-time algorithm, and therefore our whole protocol is an argument (not a proof).

Though the above two-phase argument does not enjoy concurrent soundness [11], it is still a good starting point, and we can use the same technique as in [11] in spirit to fix the flaw: in phase two, the prover uses a commitment scheme³ $COM_1$ to compute a commitment to a random string $s$, $c = COM_1(s, r)$ ($r$ is a random string needed in the commitment scheme), and then the prover proves that the statement to be proven is true or he committed to a preimage of $y_0$ or $y_1$. We can prove that the modified argument is a concurrent zero knowledge argument with concurrent soundness using a technique similar to that in [11].

³ In contrast to [11], we prove that a computationally-binding commitment scheme suffices to achieve concurrent soundness. In fact, the statistically-binding commitment scheme in [11] could also be replaced with a computationally-binding one without violating concurrent soundness.

Given the above (modified) concurrent zero knowledge argument with concurrent soundness, we can transform it into a resettable zero knowledge argument with concurrent soundness in this way: 1) using a statistically-binding commitment scheme $COM$, the verifier computes a commitment $c_e = COM(e, r_e)$ ($r_e$ is a random string needed in the scheme) to a random string $e$ in phase one, and then he sends $e$ (note that the verifier does not send $r_e$, namely, it does not open the commitment $c_e$) as the second message (i.e., the challenge) of $\Pi_p$ and proves that $e$ is the string he committed to in the first phase using a resettably-sound zero knowledge argument; 2) equipping the prover with a pseudorandom function: whenever random bits are needed in an execution, the prover applies the pseudorandom function to what he has seen so far to generate them.

Let us consider concurrent soundness of the above protocol. Imagine that a malicious prover convinces an honest verifier of a false statement in some session (we call it a cheating session) in an execution of a concurrent attack with high probability. Then we can use this session to break some hardness assumption: after the first run of this session, we rewind it to the point where the verifier is required to send a challenge, choose an arbitrary challenge and run the simulator for the underlying resettably-sound zero knowledge argument. At the end of the second run of this session, we extract one of the preimages of $y_0$ and $y_1$ from the two different transcripts, and this contradicts either the witness indistinguishability of $\Pi_v$ or the binding property of the commitment scheme $COM_1$. Note that in the above reduction we just need to simulate the single execution of the resettably-sound zero knowledge argument in that cheating session, and do not care about the other sessions initiated by the malicious prover (in other sessions we play the role of the honest verifier). We showed in the last section that the simulation in this special concurrent setting can be done in a simple way.

The Protocol (rZK argument with concurrent soundness in the BPK model)

Let $\{prf_r : \{0,1\}^* \to \{0,1\}^{d(n)}\}_{r \in \{0,1\}^n}$ be a pseudorandom function ensemble, where $d$ is a polynomial function, $COM$ be a statistically-binding commitment scheme, and let $COM_1$ be a general commitment scheme (which can be either statistically-binding or computationally-binding⁴). Without loss of generality, we assume both the preimage size of the one-way function $f$ and the message size of $COM_1$ equal $n$.

⁴ If the computationally-binding scheme satisfies perfect hiding, then this scheme requires a stronger assumption; see also [5, 20].
Common input: the public file $F$, an $n$-bit string $x \in L$, and an index $i$ that specifies the $i$-th entry $pk_i = (f, y_0, y_1)$ ($f$ is a one-way function) of $F$.

P's private input: a witness $w$ for $x \in L$, and a fixed random string $(r_1, r_2) \in \{0,1\}^{2n}$.

V's private input: a secret key $\alpha$ ($y_0 = f(\alpha)$ or $y_1 = f(\alpha)$).

Phase 1: V Proves Knowledge of $\alpha$ and Sends a Committed Challenge to P.

1. V and P run the 3-round partial-witness-independent witness indistinguishable protocol ($\Sigma_{OR}$-protocol) $\Pi_v$ in which V proves knowledge of $\alpha$, one of the two preimages of $y_0$ and $y_1$. The random bits used by P equal $r_1$;

2. V computes $c_e = COM(e, r_e)$ for a random $e$ ($r_e$ is a random string needed in the scheme), and sends $c_e$ to P.

Phase 2: P Proves $x \in L$

1. P checks that the transcript of $\Pi_v$ is accepting; if so, go to the following step.

2. P chooses a random string $s$, $|s| = n$, and computes $c = COM_1(s, r_s)$ by picking randomness $r_s$; P forms a new relation $R' = \{((x, y_0, y_1, c), w') \mid (x, w') \in R_L \vee (w' = (w'', r_{w''}) \wedge y_0 = f(w'') \wedge c = COM_1(w'', r_{w''})) \vee (w' = (w'', r_{w''}) \wedge y_1 = f(w'') \wedge c = COM_1(w'', r_{w''}))\}$; P invokes the 3-round witness indistinguishable argument of knowledge ($\Sigma_{OR}$-protocol) $\Pi_p$ in which P proves knowledge of $w'$ such that $((x, y_0, y_1, c), w') \in R'$, and computes and sends the first message $a$ of $\Pi_p$.

All random bits used in this step are obtained by applying the pseudorandom function $prf_{r_2}$ to what P has seen so far, including the common inputs, the private inputs and all messages sent by both parties so far.

3. V sends $e$ to P, and executes a resettably-sound zero knowledge argument with P in which V proves to P that $\exists r_e$ s.t. $c_e = COM(e, r_e)$. Note that this subprotocol costs several (constant) rounds. Again, the randomness used by P is generated by applying the pseudorandom function $prf_{r_2}$ to what P has seen so far.

4. P checks that the transcript of the resettably-sound zero knowledge argument is accepting; if so, P computes the last message $z$ of $\Pi_p$ and sends it to V.

5. V accepts if and only if $(a, e, z)$ is an accepting transcript of $\Pi_p$.
Theorem 1. Let $L$ be a language in $\mathcal{NP}$. If there exist hash functions collision-resistant against any polynomial-time adversary, then there exists a constant-round rZK argument with concurrent soundness for $L$ in the BPK model.

Remark on complexity assumptions. We prove this theorem by showing that the protocol described above is an rZK argument with concurrent soundness. Indeed, our protocol requires collision-resistant hash functions and one-way permutations; this is because the 3-round $\Sigma$-protocol (and therefore the $\Sigma_{OR}$-protocol) for $\mathcal{NP}$ assumes one-way permutations and the resettably-sound zero knowledge argument assumes collision-resistant hash functions. However, we can build a 4-round $\Sigma$-protocol (and therefore $\Sigma_{OR}$-protocol) for $\mathcal{NP}$ assuming the existence of one-way functions by adding one message (see also the discussion on $\Sigma$-protocols in Section 2), and our security analysis also applies to this variant. We also note that collision-resistant hash functions imply one-way functions, which suffice to build statistically-binding commitment schemes [19] (and therefore computationally-binding schemes); thus, if we prove our protocol is an rZK argument with concurrent soundness, then we get Theorem 1. Here we adopt the 3-round $\Sigma_{OR}$-protocol just for the sake of simplicity.

Proof. Completeness. Straightforward. 

Resettable (black-box) Zero Knowledge. The analysis is very similar to that presented in previous work. Here we omit the tedious proof and just provide some intuition. As usual, we can construct a simulator Sim that extracts all secret keys corresponding to the public keys registered by the malicious verifier from $\Pi_v$ and then uses them as witnesses in executions of $\Pi_p$, and Sim can complete the simulation in expected polynomial time. We first note that when a malicious verifier resets an honest prover, it cannot send two different challenges for a fixed commitment sent in Phase 1 to the latter, because of the statistically-binding property of $COM$ and the resettable soundness of the underlying sub-protocol used by the verifier to prove that the challenge matches the value it committed to in Phase 1. To prove the rZK property, we need to show that the output of Sim is indistinguishable from the real interactions. This can be done by constructing a non-uniform hybrid simulator HSim and showing that the output of HSim is indistinguishable from both the output of Sim and the real interaction. HSim runs as follows. Taking as inputs all these secret keys and all the witnesses of the statements in the interactions, HSim computes commitments exactly as Sim does but executes $\Pi_p$ using the same witness of the statement used by the honest prover. It is easy to see that the output of the hybrid simulator is indistinguishable from both the transcripts of real interactions (because of the computational-hiding property of $COM_1$) and the output of Sim (because of the witness indistinguishability of $\Pi_p$); therefore the output of Sim is indistinguishable from the real interactions.

Concurrent Soundness. The proof proceeds by contradiction. 

Assume that the protocol does not satisfy the concurrent soundness property, so there is an s-concurrently malicious prover P* which, concurrently interacting with V, makes the verifier accept a false statement $x \notin L$ in the jth session with non-negligible probability p. 

We now construct an algorithm B that takes the code of P* (with its randomness hard-wired in) as input and breaks the one-wayness of f with non-negligible probability. 

B runs as follows. On input the challenge (f, y) (i.e., given the description of the one-way function f, B must find a preimage of y), B randomly chooses $a \in \{0,1\}^n$ and $b \in \{0,1\}$, and guesses a session number $j \in \{1, \dots, s\}$ (a guess of the session in which P* will successfully cheat the verifier on a false statement x; this guess is correct with probability 1/s). Then B registers $pk = (f, y_0, y_1)$ as its public key, where $y_b = f(a)$ and $y_{1-b} = y$. For convenience we let $x_b = a$, and denote by $x_{1-b}$ one of the preimages of $y_{1-b}$ (so $y_{1-b} = y = f(x_{1-b})$). Our goal is to find one preimage of $y_{1-b}$. 

We write B as $B = (B_{real}, B_j)$. B interacts with P* as an honest verifier (note that B knows the secret key a corresponding to the public key pk) in all but the jth session. Specifically, B employs the following extraction strategy: 

1. B acts as the honest verifier in this stage. That is, it completes $\Pi_V$ using $a = x_b$ as the secret key, commits to e as $c_e = COM_0(e, r_e)$ in Phase 1, and then runs the resettably sound ZK argument in Phase 2 using $(e, r_e)$ as the witness. In particular, B uses $B_j$ to play the role of the verifier in the jth session, and $B_{real}$ to play the role of the verifier in all other sessions. At the end of the jth session, if B obtains an accepting transcript (a, e, z) of $\Pi_P$, it enters the following rewinding stage; otherwise B halts and outputs $\bot$. 

2. $B_j$ rewinds P* to the beginning of step 3 of Phase 2 in the jth session, chooses a random string $e' \neq e$, and simulates the underlying resettably sound ZK argument in the same way as shown in Section 3: it commits to the hash value of the joint residual code of P* and $B_{real}$ in the second round of the resettably sound ZK argument (note that this sub-protocol is transformed from Barak's protocol) and uses it as the witness to complete the proof of the following false statement: $\exists r_e$ s.t. $c_e = COM_0(e', r_e)$. If this rewind incurs other rewinds in other sessions, $B_{real}$ always acts as an honest verifier. When B obtains another accepting transcript (a, e', z') of $\Pi_P$ at step 5 of Phase 2 in the jth session, it halts, computes the witness from the two transcripts and outputs it; otherwise B plays step 3 of the jth session again. 

We denote this extraction procedure by Extra. 
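As an added illustration, not code from the paper, the following Python instantiates $\Pi_P$ as a Schnorr-style $\Sigma_{OR}$-protocol over a toy group (f is taken to be modular exponentiation, a hypothetical choice) and runs the extraction strategy Extra described above: the prover's randomness is fixed once it has sent its first message a, so replaying step 3 with a second challenge $e' \neq e$ yields two accepting transcripts from which a preimage of $y_0$ or $y_1$ is computed.

```python
import secrets

# Toy group, constructed for this example (insecure size): p = 2q + 1 safe prime, g = 4 of order q
P, Q, G = 2039, 1019, 4

def f(x):  # the reduction's one-way function f, instantiated as x -> g^x mod p
    return pow(G, x, P)
class OrProver:
    """Sigma_OR prover for 'I know x with y_0 = f(x) or y_1 = f(x)' (Schnorr-style).
    Randomness is fixed in commit(), so replaying the challenge round, as B_j does, reuses a."""
    def __init__(self, y, b, x_b):
        self.y, self.b, self.x_b = y, b, x_b
    def commit(self):
        b, nb = self.b, 1 - self.b
        self.r = secrets.randbelow(Q)        # real randomness for the known branch
        self.e_sim = secrets.randbelow(Q)    # simulated challenge for the unknown branch
        self.z_sim = secrets.randbelow(Q)    # simulated response for the unknown branch
        a_b = pow(G, self.r, P)
        a_nb = pow(G, self.z_sim, P) * pow(self.y[nb], Q - self.e_sim, P) % P  # g^z * y^-e
        self.a = (a_b, a_nb) if b == 0 else (a_nb, a_b)
        return self.a
    def respond(self, e):
        b, nb = self.b, 1 - self.b
        es, zs = [0, 0], [0, 0]
        es[nb], zs[nb] = self.e_sim, self.z_sim
        es[b] = (e - self.e_sim) % Q         # the two sub-challenges must sum to e
        zs[b] = (self.r + es[b] * self.x_b) % Q
        return tuple(es), tuple(zs)

def verify(y, a, e, z):
    es, zs = z
    return (es[0] + es[1]) % Q == e % Q and all(
        pow(G, zs[i], P) == a[i] * pow(y[i], es[i], P) % P for i in range(2))

def extract(y, a, e, z, e2, z2):
    """Special soundness: two accepting transcripts with the same a and e != e2
    yield a preimage of y_0 or y_1. Returns (branch, preimage) or None."""
    if e % Q == e2 % Q or not (verify(y, a, e, z) and verify(y, a, e2, z2)):
        return None
    for i in range(2):
        de = (z[0][i] - z2[0][i]) % Q        # sub-challenges differ on the branch used
        if de:
            x = (z[1][i] - z2[1][i]) * pow(de, -1, Q) % Q
            if f(x) == y[i]:
                return i, x

def run_extra(b, x_b, e1=7, e2=11):  # B's strategy Extra: one a, two challenges, extract
    y = [f(x_b) if i == b else f(secrets.randbelow(Q)) for i in range(2)]  # B knows only x_b
    prover = OrProver(y, b, x_b)
    return y, extract(y, prover.commit(), e1, prover.respond(e1), e2, prover.respond(e2))
```

Against this honest prover the extracted preimage is always that of the branch whose witness the prover actually used, which is exactly why the proof needs the witness indistinguishability argument below to show that B's guess b is hidden from P*.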

We first note that B's simulation of P*'s view differs from P*'s view in a real interaction with an honest verifier only in the following: in the second run of $\Pi_P$ in the jth session, B proves a false statement to P* via the resettably sound zero knowledge argument instead of executing this sub-protocol honestly. We will show that this difference is computationally indistinguishable to P* using the technique presented in the analysis of the resettable zero knowledge property; otherwise we could use P* to violate the zero knowledge property of the underlying resettably sound zero knowledge argument or the statistically-binding property of the commitment scheme $COM_0$. We also note that if the simulation is successful, B obtains an accepting transcript of $\Pi_P$ in stage 1 with probability negligibly close to p, and once B enters the rewinding stage (stage 2) it obtains another accepting transcript in expected polynomial time because p is non-negligible. In other words, B outputs a valid witness with probability negligibly close to p in the above extraction. 

Now assume B outputs a valid witness w' such that $(x, y_0, y_1, c, w') \in R'$; furthermore, the witness w' must satisfy $w' = (w'', r_{w''})$ and $y_b = f(w'')$ or $y_{1-b} = f(w'')$, because $x \notin L$. If $y_{1-b} = f(w'')$, we break the one-way assumption on f (we have found a preimage of $y_{1-b}$); otherwise (i.e., w'' satisfies $y_b = f(w'')$), we fail. Next we claim that B succeeds in breaking the one-way assumption on f with non-negligible probability. 

Assume otherwise, i.e., B outputs a preimage of $y_{1-b}$ with at most a negligible probability q. Then we can construct a non-uniform algorithm B' (incorporating the code of P*) that breaks the witness indistinguishability of $\Pi_V$ or the computational binding of the commitment scheme $COM_1$. 

The non-uniform algorithm B' takes as auxiliary input $(y_0, y_1, x_0, x_1)$ (i.e., it is given both secret keys) and interacts with P* under the public key $(y_0, y_1)$. It performs the following experiment: 

1. Simulation (until B' receives the first message a of $\Pi_P$ in the jth session). B' acts exactly as B does. Without loss of generality, let B' use $x_0$ as the witness in all executions of $\Pi_V$ that complete before step 2 of Phase 2 in the jth session. Once B' receives the first message a of $\Pi_P$ in the jth session, it splits this experiment and continues independently in the following games: 
2. Extracting Game 0. B' continues the above simulation and uses the same extraction strategy as B. In particular, it runs as follows. 1) Continuing to simulate: B' uses $x_0$ as the witness in all executions of $\Pi_V$ that take place during this game; 2) Extracting: if B' obtained an accepting transcript $(a, e_0, z_0)$ at the end of the first run of $\Pi_P$ in the jth session, it rewinds to the beginning of step 3 of Phase 2 in the jth session and replays this round by sending another random challenge $e'_0 \neq e_0$ until it gets another accepting transcript $(a, e'_0, z'_0)$ of $\Pi_P$, and then B' outputs a valid witness; otherwise it outputs $\bot$. 

3. Extracting Game 1. B' repeats Extracting Game 0, but uses $x_1$ as the witness in all executions of $\Pi_V$ during this game (i.e., those executions of $\Pi_V$ that complete after step 2 of Phase 2 in the jth session). At the end of this game, B' either obtains two accepting transcripts $(a, e_1, z_1)$, $(a, e'_1, z'_1)$ and outputs a valid witness, or outputs $\bot$. Note that an execution of $\Pi_V$ taking place during this game means that at least the last (third) message of $\Pi_V$ in that execution has not yet been sent before step 2 of Phase 2 in the jth session. Since $\Pi_V$ is a partial-witness-independent $\Sigma$-protocol (so the choice of which witness to use can be deferred to the last (third) step of $\Pi_V$), B' can choose whichever witness it wants to complete that execution of $\Pi_V$ after step 2 of Phase 2 in the jth session. 

We denote by $EXP_0$ the Simulation of stage 1 described above together with its first continuation, Extracting Game 0; similarly, we denote by $EXP_1$ the same Simulation together with its second continuation, Extracting Game 1. 

Note that P*'s view in $EXP_0$ is identical to its view in Extra when B uses $x_0$ (b = 0) as the witness in all executions of $\Pi_V$, so the output of B' at the end of $EXP_0$ is identically distributed to the output of B taking $x_0$ as the secret key in Extra; that is, with non-negligible probability p, B' outputs a preimage of $y_0$, and with negligible probability q it outputs a preimage of $y_1$. 

Now consider B's behavior in Extra when it uses $x_1$ (b = 1) as the secret key. The behavior of B differs from the behavior of B' in $EXP_1$ only in those executions of $\Pi_V$ that complete before step 2 of Phase 2 in the jth session: B' uses $x_0$ as the witness in all those executions, while B uses $x_1$. However, P* cannot tell these apart, because $\Pi_V$ is witness indistinguishable and none of those executions of $\Pi_V$ is rewound in either Extra or $EXP_1$ (note that B' never rewinds past step 2 of Phase 2 in the jth session in the whole experiment). Thus we can claim that at the end of $EXP_1$, B' outputs a preimage of $y_1$ with probability negligibly close to p, and a preimage of $y_0$ with probability negligibly close to q. 

In the above experiment conducted by B', the first message a sent by P* in the jth session contains a commitment c, and this message a (and therefore c) remains unchanged throughout the whole experiment. Clearly, with probability negligibly close to $p^2$ (note that q is negligible), B' outputs two valid witnesses $w'_0 = (w''_0, r_{w''_0})$ and $w'_1 = (w''_1, r_{w''_1})$ (note that $w''_0 \neq w''_1$ except with very small probability) from the above two games such that the following holds: $y_0 = f(w''_0)$, $y_1 = f(w''_1)$, $c = COM_1(w''_0, r_{w''_0})$ and $c = COM_1(w''_1, r_{w''_1})$. This contradicts the computational-binding property of the scheme $COM_1$. 

In sum, we have proved that if $COM_1$ is computationally binding and $\Pi_V$ is a witness indistinguishable protocol with the partial-witness-independence property, then B succeeds in breaking the one-wayness of f with non-negligible probability. In other words, if the one-way assumption on f holds, it is infeasible for P* to cheat an honest verifier in the concurrent setting with non-negligible probability. □ 

Acknowledgments. Yi Deng thanks Giovanni Di Crescenzo, Rafael Pass, Ivan 